Mark Morowczynski from our Customer Success Team is our guest blogger today and he’s going to be sharing some tips on deploying and using Self-Service Password Reset. To give credit where it’s due, the Azure AD Mailbag series was Mark’s idea in the first place. So if you like this series, make sure to let Mark know!

Hey y’all, Mark Morowczynski here. You might remember me from my days on the AskPFEPlatforms blog. I’ve escaped the cold and pizza of Chicago for the rain and granola of Seattle and joined the Active Directory Customer Success Team that Ryen Macababbad talked about here earlier. So far the feedback on these mailbags has been really positive, so we’ll keep at them. This mailbag will focus on Self-Service Password Reset (SSPR). Let’s dig in.

Question: I’m currently testing out SSPR and I’ve set my verification method to one but every time I try this, I get prompted for two verification methods. What is going on here?

Answer: You are most likely testing with an administrative account. These accounts require two methods to perform an SSPR. Make sure you are testing with an end user account. There is a wealth of good SSPR troubleshooting found at

Question: We are a global company and for our security questions we only see English. Is there an option for multiple languages?

Answer: Yes! Just use the “knowledge-based security questions” option when setting up password reset. This will work automatically based on the browser language that is set. However, any custom questions you write yourself will NOT be translated automatically. As you can see below, my custom question is still in English but everything else is in Spanish.

(it’s the Mets)

Question: I’ve turned on Self Service Password Reset and it’s open to all users but nobody is registering. What do I do?

Answer: If your users frequently sign in to web apps, like Exchange Online, SharePoint, or an integrated SaaS application such as Salesforce or Workday, then your best bet is to use the password reset “Enforced Registration” feature. To turn this on, just go to the Azure Management portal, click on your directory, and on the “configure” tab, make sure the “Require users to register when signing in?” toggle is set to “yes”.

Once you turn this on, your users will see the screen below when they sign in, which will take them to the password reset registration page where they can provide their authentication info. Don’t worry, we won’t block your users from signing in; they can cancel and choose to register later if they want.

If your users do not frequently sign in to web apps, don’t worry, you can still get them registered for password reset. Check out the best practices guide for resources and instructions on how to get going.

Question: I love the SSPR functionality but my users authenticate with AD FS. Is there a way I can leverage SSPR with ADFS?

A: Updated April 2nd 2017

For a more complicated use case, follow the steps below for modifying the AD FS theme. First try the following:

Absolutely! It only takes three steps using AD FS 2012 R2 web theme customization to add a nice “Can’t access your account?” link in the sign-in page like below:

Step 1: Create and export the AD FS Web Theme

Use Windows PowerShell to create a new AD FS web theme from the current one and to export its different resources to your local disk. We will use this new theme to add the link directing users to the password reset page. Just type in the highlighted commands:

New-ADFSWebTheme -Name ADFSAndSSPRFun -SourceName default

Export-ADFSWebTheme -Name ADFSAndSSPRFun -DirectoryPath C:\customization

After this step, all the images, CSS, scripts, and other resources will be available in the local directory you specified (in this example c:\Customization). The folder structure should look like this:

Step 2: Tweak onload.js to add the link

Edit the onload.js file (located under the “script” folder in the root directory you exported to in step 1) and add this little script snippet at the end. This will add the link at the end of the page:

// Add link for password reset, if we find the forms authentication element in the page
var formsAuthArea = document.getElementById("formsAuthenticationArea");
if (formsAuthArea) {
    // Create the hyperlink
}
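A hardened take on the Step 2 link insertion, as an added example (not code from the original post): it builds the “Can’t access your account?” link from DOM nodes only, refuses any target that is not https on the expected reset host, and does not add the link twice. The reset portal URL, the link id and the function names are assumptions made for this example.

```javascript
// Added example, ES5 syntax to match the snippet above.
// Assumption: the public Azure AD password reset portal; confirm the URL for your tenant.
var SSPR_URL = "https://passwordreset.microsoftonline.com/";
var LINK_ID = "ssprResetLink"; // hypothetical id, used only to keep the insert idempotent

// Accept only an absolute https URL whose host is exactly the reset portal.
// The character after the host must be "/", "?", "#" or end of string, which
// rejects "host.example.net", "host@example.net", other ports, and any other
// scheme (http:, javascript:, data:).
function isAllowedResetUrl(url) {
  return typeof url === "string" &&
    /^https:\/\/passwordreset\.microsoftonline\.com(?:[\/?#]|$)/.test(url);
}

// Appends the link to the forms-authentication area.
// Returns the new anchor element, or null when nothing was added.
function addPasswordResetLink(doc, url) {
  var area = doc.getElementById("formsAuthenticationArea");
  if (!area) { return null; }                       // not the forms sign-in page
  if (doc.getElementById(LINK_ID)) { return null; } // link already present
  if (!isAllowedResetUrl(url)) { return null; }     // unexpected target, add nothing

  var link = doc.createElement("a");
  link.id = LINK_ID;
  link.href = url;
  link.rel = "noopener noreferrer";
  // Text node instead of innerHTML: the string is never parsed as markup.
  link.appendChild(doc.createTextNode("Can’t access your account?"));

  var wrapper = doc.createElement("p");
  wrapper.appendChild(link);
  area.appendChild(wrapper);
  return link;
}

// In onload.js the browser supplies `document`; outside a browser this is skipped.
if (typeof document !== "undefined") {
  addPasswordResetLink(document, SSPR_URL);
}
```

Because onload.js runs on the page where users type their credentials, keeping the customization to a fixed https link built from DOM nodes limits what a later edit to the theme can introduce.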

One of the bits of feedback we received from our last post is that we didn’t make it very clear how to interact with us. First, you can follow us on Twitter at @AzureAD. We have also set up an email address where you can send in your questions at AskAzureADBlog@microsoft.com. I also want to point out we have the Microsoft Forums here. Finally, if you found this post useful, please share it on Twitter with @AzureAD, @MarkMorow and @Alex_A_Simons. We love hearing feedback from our readers. Talk to you next week!
